subject:"\(allura\) 07\/08\: \[#8536\] don't use jinja for site notifications; add autoescape"

(allura) 07/08: [#8536] don't use jinja for site notifications; add autoescape

2024-02-23 Thread gcruz

This is an automated email from the ASF dual-hosted git repository.

gcruz pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/allura.git

commit 63f12b9a7d754e5bf02a1aa9e4e1f9c17b7aa87e
Author: Dave Brondsema 
AuthorDate: Thu Feb 15 12:05:00 2024 -0500

[#8536] don't use jinja for site notifications; add autoescape
---
 Allura/allura/lib/helpers.py   | 24 ++
 Allura/allura/lib/widgets/search.py|  1 +
 Allura/allura/public/nf/js/allura-base.js  |  2 +-
 .../templates/jinja_master/theme_macros.html   |  2 +-
 .../jinja_master/theme_macros.html |  2 +-
 Allura/allura/tests/test_helpers.py| 19 +
 6 files changed, 43 insertions(+), 7 deletions(-)

diff --git a/Allura/allura/lib/helpers.py b/Allura/allura/lib/helpers.py
index bc52a5638..26dd2d94f 100644
--- a/Allura/allura/lib/helpers.py
+++ b/Allura/allura/lib/helpers.py
@@ -790,10 +790,26 @@ def render_any_markup(name, txt, code_mode=False, 
linenumbers_style=TABLE):
 
 
 @pass_context
-def subrender_jinja_filter(context, value):
-_template = context.eval_ctx.environment.from_string(value)
-result = _template.render(**context)
-return result
+def subrender_jinja_filter(context, html_tmpl: str) -> Markup:
+# jinja templates can execute potentially dangerous things
+#   _template = context.eval_ctx.environment.from_string(html_tmpl)
+#   return _template.render(**context)
+
+# so instead, support just a few things
+
+limited_vars = {
+'{{ c.project.url() }}': lambda: c.project.url(),
+}
+for var, fn in limited_vars.items():
+if var not in html_tmpl:
+continue
+try:
+val = fn()
+except Exception:
+log.exception(f'Could not replace {var} in jinja "subrender" for 
site notification')
+continue
+html_tmpl = html_tmpl.replace(var, val)
+return Markup(html_tmpl)
 
 
 def nl2br_jinja_filter(value):
diff --git a/Allura/allura/lib/widgets/search.py 
b/Allura/allura/lib/widgets/search.py
index cec39ad44..c772992d1 100644
--- a/Allura/allura/lib/widgets/search.py
+++ b/Allura/allura/lib/widgets/search.py
@@ -53,6 +53,7 @@ class SearchHelp(ffw.Lightbox):
 super().__init__()
 # can't use g.jinja2_env since this widget gets imported too early :(
 jinja2_env = jinja2.Environment(
+autoescape=True,
 loader=jinja2.PackageLoader('allura', 'templates/widgets'))
 self.content = 
Markup(jinja2_env.get_template('search_help.html').render(dict(
 comments=comments,
diff --git a/Allura/allura/public/nf/js/allura-base.js 
b/Allura/allura/public/nf/js/allura-base.js
index 779f4ebca..839408dee 100644
--- a/Allura/allura/public/nf/js/allura-base.js
+++ b/Allura/allura/public/nf/js/allura-base.js
@@ -209,7 +209,7 @@ $(function(){
 });
 
 $('#site-notification .btn-close').click(function(e) {
-var $note = $(this).parent();
+var $note = $(this).parents('section:first');
 $note.hide();
 var note_id = $note.attr('data-notification-id');
 var cookie = $.cookie('site-notification');
diff --git a/Allura/allura/templates/jinja_master/theme_macros.html 
b/Allura/allura/templates/jinja_master/theme_macros.html
index e06f5d7a2..c9ee789b3 100644
--- a/Allura/allura/templates/jinja_master/theme_macros.html
+++ b/Allura/allura/templates/jinja_master/theme_macros.html
@@ -178,7 +178,7 @@ 
http://stackoverflow.com/questions/26582731/redefining-imported-jinja-macros
 {% if note %}
 
 
-{{ note.content|subrender|safe }}
+{{ note.content|subrender }}
 Close
 
 
diff --git a/Allura/allura/templates_responsive/jinja_master/theme_macros.html 
b/Allura/allura/templates_responsive/jinja_master/theme_macros.html
index 5c639115d..dd0e70ed1 100644
--- a/Allura/allura/templates_responsive/jinja_master/theme_macros.html
+++ b/Allura/allura/templates_responsive/jinja_master/theme_macros.html
@@ -195,7 +195,7 @@ 
http://stackoverflow.com/questions/26582731/redefining-imported-jinja-macros
 {% if note %}
 
 
-{{note.content|safe}}
+{{ note.content|subrender }}
 
   {#  .btn-close instead of data-close, since allura-base.js 
handles closing it, not Foundation #}
   
diff --git a/Allura/allura/tests/test_helpers.py 
b/Allura/allura/tests/test_helpers.py
index 9a12062bd..bb7908c9b 100644
--- a/Allura/allura/tests/test_helpers.py
+++ b/Allura/allura/tests/test_helpers.py
@@ -24,6 +24,8 @@ import time
 import PIL
 from mock import Mock, patch
 from tg import tmpl_context as c
+from tg import config
+
 from alluratest.tools import module_not_available
 from webob import Request
 from webob.exc import HTTPUnauthorized
@@ -346,6 +348,23 @@ def

(allura) 07/08: [#8536] don't use jinja for site notifications; add autoescape

2024-02-15 Thread brondsem

This is an automated email from the ASF dual-hosted git repository.

brondsem pushed a commit to branch db/8536
in repository https://gitbox.apache.org/repos/asf/allura.git

commit 997a58206dcd37dfe8d46776fbb76fbb0f9a6e4a
Author: Dave Brondsema 
AuthorDate: Thu Feb 15 12:05:00 2024 -0500

[#8536] don't use jinja for site notifications; add autoescape
---
 Allura/allura/lib/helpers.py   | 24 ++
 Allura/allura/lib/widgets/search.py|  1 +
 Allura/allura/public/nf/js/allura-base.js  |  2 +-
 .../templates/jinja_master/theme_macros.html   |  2 +-
 .../jinja_master/theme_macros.html |  2 +-
 Allura/allura/tests/test_helpers.py| 19 +
 6 files changed, 43 insertions(+), 7 deletions(-)

diff --git a/Allura/allura/lib/helpers.py b/Allura/allura/lib/helpers.py
index bc52a5638..26dd2d94f 100644
--- a/Allura/allura/lib/helpers.py
+++ b/Allura/allura/lib/helpers.py
@@ -790,10 +790,26 @@ def render_any_markup(name, txt, code_mode=False, 
linenumbers_style=TABLE):
 
 
 @pass_context
-def subrender_jinja_filter(context, value):
-_template = context.eval_ctx.environment.from_string(value)
-result = _template.render(**context)
-return result
+def subrender_jinja_filter(context, html_tmpl: str) -> Markup:
+# jinja templates can execute potentially dangerous things
+#   _template = context.eval_ctx.environment.from_string(html_tmpl)
+#   return _template.render(**context)
+
+# so instead, support just a few things
+
+limited_vars = {
+'{{ c.project.url() }}': lambda: c.project.url(),
+}
+for var, fn in limited_vars.items():
+if var not in html_tmpl:
+continue
+try:
+val = fn()
+except Exception:
+log.exception(f'Could not replace {var} in jinja "subrender" for 
site notification')
+continue
+html_tmpl = html_tmpl.replace(var, val)
+return Markup(html_tmpl)
 
 
 def nl2br_jinja_filter(value):
diff --git a/Allura/allura/lib/widgets/search.py 
b/Allura/allura/lib/widgets/search.py
index cec39ad44..c772992d1 100644
--- a/Allura/allura/lib/widgets/search.py
+++ b/Allura/allura/lib/widgets/search.py
@@ -53,6 +53,7 @@ class SearchHelp(ffw.Lightbox):
 super().__init__()
 # can't use g.jinja2_env since this widget gets imported too early :(
 jinja2_env = jinja2.Environment(
+autoescape=True,
 loader=jinja2.PackageLoader('allura', 'templates/widgets'))
 self.content = 
Markup(jinja2_env.get_template('search_help.html').render(dict(
 comments=comments,
diff --git a/Allura/allura/public/nf/js/allura-base.js 
b/Allura/allura/public/nf/js/allura-base.js
index 779f4ebca..839408dee 100644
--- a/Allura/allura/public/nf/js/allura-base.js
+++ b/Allura/allura/public/nf/js/allura-base.js
@@ -209,7 +209,7 @@ $(function(){
 });
 
 $('#site-notification .btn-close').click(function(e) {
-var $note = $(this).parent();
+var $note = $(this).parents('section:first');
 $note.hide();
 var note_id = $note.attr('data-notification-id');
 var cookie = $.cookie('site-notification');
diff --git a/Allura/allura/templates/jinja_master/theme_macros.html 
b/Allura/allura/templates/jinja_master/theme_macros.html
index e06f5d7a2..c9ee789b3 100644
--- a/Allura/allura/templates/jinja_master/theme_macros.html
+++ b/Allura/allura/templates/jinja_master/theme_macros.html
@@ -178,7 +178,7 @@ 
http://stackoverflow.com/questions/26582731/redefining-imported-jinja-macros
 {% if note %}
 
 
-{{ note.content|subrender|safe }}
+{{ note.content|subrender }}
 Close
 
 
diff --git a/Allura/allura/templates_responsive/jinja_master/theme_macros.html 
b/Allura/allura/templates_responsive/jinja_master/theme_macros.html
index 5c639115d..dd0e70ed1 100644
--- a/Allura/allura/templates_responsive/jinja_master/theme_macros.html
+++ b/Allura/allura/templates_responsive/jinja_master/theme_macros.html
@@ -195,7 +195,7 @@ 
http://stackoverflow.com/questions/26582731/redefining-imported-jinja-macros
 {% if note %}
 
 
-{{note.content|safe}}
+{{ note.content|subrender }}
 
   {#  .btn-close instead of data-close, since allura-base.js 
handles closing it, not Foundation #}
   
diff --git a/Allura/allura/tests/test_helpers.py 
b/Allura/allura/tests/test_helpers.py
index 9a12062bd..bb7908c9b 100644
--- a/Allura/allura/tests/test_helpers.py
+++ b/Allura/allura/tests/test_helpers.py
@@ -24,6 +24,8 @@ import time
 import PIL
 from mock import Mock, patch
 from tg import tmpl_context as c
+from tg import config
+
 from alluratest.tools import module_not_available
 from webob import Request
 from webob.exc import HTTPUnauthorized
@@ -346,6 +348,23 @@

(allura) 07/08: [#8536] don't use jinja for site notifications; add autoescape

(allura) 07/08: [#8536] don't use jinja for site notifications; add autoescape

2 matches

Site Navigation

Mail list logo

Footer information